RubySec

Providing security resources for the Ruby community

CVE-2018-1000855 (easymon): Reflected XSS in Firefox in check endpoint

ADVISORIES

GEM

easymon

PATCHED VERSIONS

  • >= 1.4.1

DESCRIPTION

When passing an invalid check name as parameter to the endpoint where the easymon routes are mounted, a 406 response with a body that contains the invalid check name unescaped is returned. Malicious JavaScript can be injected into that invalid name and have it executed in Firefox